I believe dm-crypt/luks is the preferred method of block device encryption. It's more portable across OSes, and a little easier to recover from lost metadata (since it stores the metadata with the partition).
– Keith, May 30 '11 at 6:21

1 Answer
1

You need a patched kernel, losetup and mount. The package is usually called util-linux; you can get the patches from here. If you don't want to boot from a loop-aes device it's really simple:

# Write 65 lines of random data to keyfile.txt. This will be used as the key for
# the data on the disk, and your password will be the key for this file.
# You will need this file and the password to access your data.
# Keep them safe.
# (The command below is the one from the loop-AES README: 3705 random bytes
# base64-encode to exactly 65 lines of 76 characters, the multi-key format.)
head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 > keyfile.txt
gpg -c --cipher-algo aes256 --digest-algo sha512 < keyfile.txt > keyfile.gpg
rm keyfile.txt # Better if you never write this to disk in the first place.
losetup -e aes256 -H sha512 -K keyfile.gpg /dev/loopX /dev/sdXX
mke2fs -t ext4 /dev/loopX
mount /dev/loopX /mnt
# To mount it later (the mount option that matches losetup -H is phash=)
mount -o loop=/dev/loopX,encryption=aes256,phash=sha512,gpgkey=keyfile.gpg /dev/sdXX /mnt

If you want to encrypt the root partition, then I recommend reading the extensive documentation. Basically you will need to create an initramfs and store it on an unencrypted boot partition.

You can store the keyfile.gpg (and the boot partition if you decide to encrypt the root) on a removable USB device.
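The procedure in the answer above, wrapped into a guarded script as an added example (this is not code from the answer or from the loop-AES project). Two things the one-off commands leave to the operator are handled here: the 65-line key is piped straight into gpg so the cleartext key never touches disk, and the target device is checked for being mounted or already attached to the loop device before mke2fs is allowed to run. It assumes a loop-AES patched kernel and the loop-AES losetup/mount, i.e. losetup options -e/-H/-K and mount options encryption=, phash= and gpgkey= as described in the loop-AES README; the key generation uses base64/fold instead of the README's uuencode -m, which produces the same 65 lines of 76 characters. DRY_RUN=1 prints the privileged commands instead of running them, so the helpers can be exercised without root.

```shell
#!/bin/sh
# Added example: loop-AES volume setup with a gpg-protected 65-key file.
# Assumes loop-AES patched kernel + loop-AES losetup/mount (see lead-in).

DRY_RUN="${DRY_RUN:-0}"

die() { echo "error: $*" >&2; exit 1; }

# Run a privileged command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# loop-AES multi-key ("v3") key file: 65 base64 lines. 3705 = 65 * 57 bytes,
# and 57 bytes encode to exactly 76 base64 characters, so folding the
# encoding at 76 columns gives exactly 65 full lines and no padding.
gen_keyfile() {
    printf '%s\n' "$(head -c 3705 /dev/urandom | base64 | tr -d '\n')" | fold -w 76
}

# Accept only the 64- or 65-key multi-key formats (non-empty lines counted).
check_keyfile() {
    n=$(grep -c . "$1") || return 1
    [ "$n" -eq 65 ] || [ "$n" -eq 64 ]
}

# Passphrase-protect the key with gpg; no cleartext keyfile.txt is ever written.
make_gpg_key() {
    out="$1"
    [ -e "$out" ] && die "$out exists, refusing to overwrite a key"
    gen_keyfile | gpg -c --cipher-algo aes256 --digest-algo sha512 > "$out"
}

# The answer's mount line, built in one place so setup and later mounts agree.
mount_cmd() {
    echo "mount -o loop=$2,encryption=aes256,phash=sha512,gpgkey=$3 $1 $4"
}

is_mounted() { grep -qs "^$1 " /proc/mounts; }

# setup_volume DEVICE LOOPDEV GPGKEY MOUNTPOINT
setup_volume() {
    dev="$1" loopdev="$2" key="$3" mnt="$4"
    [ -b "$dev" ] || die "$dev is not a block device"
    is_mounted "$dev" && die "$dev is mounted; refusing to format it"
    is_mounted "$loopdev" && die "$loopdev is mounted; refusing to reuse it"
    losetup "$loopdev" >/dev/null 2>&1 && die "$loopdev is already configured"
    [ -e "$key" ] || make_gpg_key "$key"
    run losetup -e aes256 -H sha512 -K "$key" "$loopdev" "$dev"
    run mke2fs -t ext4 "$loopdev"
    run mount "$loopdev" "$mnt"
    echo "to mount it later: $(mount_cmd "$dev" "$loopdev" "$key" "$mnt")"
}

# teardown_volume MOUNTPOINT LOOPDEV
teardown_volume() {
    run umount "$1"
    run losetup -d "$2"
}

case "${1-}" in
    setup)    setup_volume "$2" "$3" "$4" "$5" ;;
    teardown) teardown_volume "$2" "$3" ;;
esac
```

Usage: `DRY_RUN=1 ./loopaes.sh setup /dev/sdXX /dev/loopX /media/usb/keyfile.gpg /mnt` shows what would be run; without DRY_RUN it creates the key (prompting gpg for the passphrase), attaches the loop device, formats and mounts. Keeping the gpg key on a removable device, as the answer suggests, works unchanged: pass its path as the third argument.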